Restricting Login to only allow certain AD groups to intranet

Marty Drill asked on October 8, 2014 03:24

Hey everyone, so I have spent a while trawling through these forums looking for some answers, with no luck. I am assuming it's a simple setting change to make this work, but I can't figure it out.

I wish to restrict login to a Kentico (v7) intranet site to only allow Windows AD people from certain groups to be able to log in.

What I have done so far: I have installed the site, enabled Windows Auth in IIS, and run the import tool to only import users from (example) MYDOMAIN\intranet. However, anyone who is part of the domain is still able to log into the site. But I only want people in MYDOMAIN\intranet to be able to log in.

I have tried things like:

http://devnet.kentico.com/forums/f46/t18598/more-detail-about-windows-authentication
https://devnet.kentico.com/forums/f58/fp10/t24587/updating-existing-user-s-roles-in-custom-securi
https://docs.kentico.com/display/K8/Reference+-+Web.config+application+keys#Reference-Web.configapplicationkeys-ActiveDirectorysettings

with no luck.

Any help would be appreciated

Cheers

Recent Answers


Tomas Hruby answered on December 1, 2014 17:03

Hi Marty,

Basically there are 3 ways of changing the authorization process.

First of all, you can define authorization at the IIS level and add the following configuration to your web.config (which is described in more detail here):

<authorization>
        <!-- Rules match top-down; without the deny, the inherited allow users="*" lets everyone in -->
        <allow roles="DOMAIN\role" />
        <deny users="*" />
</authorization>
However here you define authorization for the whole site (both admin UI and live site).

Then you can modify our authentication handler (SecurityEvents.Authenticate.Execute) to cherry-pick only the desired users. The code will look something like this:

The third option is to completely override our membership providers by changing the system.web/membership and system.web/roleManager configurations in your web.config and replacing them with your own implementations that validate the user relationships.

For me the most correct option would be the second one.

Hope this helps.

Cheers

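The second option above (hooking SecurityEvents.Authenticate.Execute and rejecting users who are not in MYDOMAIN\intranet) as an added, worked example; this is not code from the original post or from Kentico. It assumes the Kentico 7 App_Code pattern of a partial CMSModuleLoader class with a CMSLoaderAttribute subclass, that the namespaces CMS.SettingsProvider and CMS.SiteProvider hold CMSLoaderAttribute and SecurityEvents respectively, and that AuthenticationEventArgs exposes UserName plus a settable User property where setting User to null makes Kentico treat the sign-in as failed. None of that is verified against the Kentico 7 API; the group check itself uses only System.Security.Principal and System.DirectoryServices.AccountManagement, which are standard .NET. The class names AdGroupGate and AdGroupGateLoader are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll
using System.Security.Principal;
using System.Web;
using CMS.SettingsProvider;   // CMSLoaderAttribute (assumed Kentico 7 namespace)
using CMS.SiteProvider;       // SecurityEvents, AuthenticationEventArgs (assumed Kentico 7 namespace)

// Hypothetical loader: Kentico 7 picks up partial CMSModuleLoader classes from App_Code.
[AdGroupGateLoader]
public partial class CMSModuleLoader
{
    private class AdGroupGateLoaderAttribute : CMSLoaderAttribute
    {
        // The only AD group allowed to sign in (group name taken from the question).
        private const string RequiredGroup = @"MYDOMAIN\intranet";

        public override void Init()
        {
            SecurityEvents.Authenticate.Execute += Authenticate_Execute;
        }

        // Assumed event shape: e.UserName is the name being signed in, e.User is the Kentico
        // user resolved for it, and setting e.User to null rejects the sign-in.
        private static void Authenticate_Execute(object sender, AuthenticationEventArgs e)
        {
            if (e.User == null)
            {
                return; // Kentico already refused this sign-in; nothing to do.
            }

            if (!AdGroupGate.IsMemberOf(e.UserName, RequiredGroup))
            {
                e.User = null; // Not in the required group: treat as a failed sign-in.
            }
        }
    }
}

// Group check kept separate so it can be exercised without Kentico.
public static class AdGroupGate
{
    // Both arguments are expected in DOMAIN\name form; anything else is denied.
    public static bool IsMemberOf(string domainUserName, string domainGroupName)
    {
        if (string.IsNullOrEmpty(domainUserName) || string.IsNullOrEmpty(domainGroupName))
        {
            return false;
        }

        // Fast path under IIS Windows authentication: the request already carries the caller's
        // token, and WindowsPrincipal.IsInRole evaluates the group SIDs in that token (nested
        // membership included) without a directory round-trip.
        var http = HttpContext.Current;
        var winPrincipal = http != null ? http.User as WindowsPrincipal : null;
        if (winPrincipal != null &&
            string.Equals(winPrincipal.Identity.Name, domainUserName, StringComparison.OrdinalIgnoreCase))
        {
            return winPrincipal.IsInRole(domainGroupName);
        }

        // Otherwise (e.g. DOMAIN\name typed into the forms login) ask the domain directly.
        string userDomain, userSam, groupDomain, groupSam;
        if (!TrySplit(domainUserName, out userDomain, out userSam) ||
            !TrySplit(domainGroupName, out groupDomain, out groupSam))
        {
            return false; // Fail closed on anything that is not DOMAIN\name.
        }

        using (var userCtx = new PrincipalContext(ContextType.Domain, userDomain))
        using (var groupCtx = new PrincipalContext(ContextType.Domain, groupDomain))
        using (var user = UserPrincipal.FindByIdentity(userCtx, IdentityType.SamAccountName, userSam))
        using (var group = GroupPrincipal.FindByIdentity(groupCtx, IdentityType.SamAccountName, groupSam))
        {
            if (user == null || group == null)
            {
                return false; // Unknown user or group: deny rather than fall through.
            }

            // Direct members only. To honour nested groups, walk user.GetAuthorizationGroups() instead.
            return user.IsMemberOf(group);
        }
    }

    private static bool TrySplit(string domainQualified, out string domain, out string name)
    {
        var parts = domainQualified.Split('\\');
        if (parts.Length == 2 && parts[0].Length > 0 && parts[1].Length > 0)
        {
            domain = parts[0];
            name = parts[1];
            return true;
        }
        domain = name = null;
        return false;
    }
}
```

Two things to check before relying on this: that the user name Kentico passes to the handler under Windows authentication really is the DOMAIN\name form (otherwise the fast path never matches and the code falls through to the directory query), and that the handler fires on every sign-in path you expose, since a check that only runs for forms login still leaves the gap the question describes. The check deliberately denies on any lookup failure rather than allowing, so a misconfigured domain name shows up as locked-out users instead of an open site.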
